You deploy a website, install a Let's Encrypt certificate through Plesk, and everything works perfectly — until one day the browser shows a red padlock and users start complaining about "connection not private" warnings. What happened? Plesk's automatic Let's Encrypt renewal silently failed. This is one of the most disruptive issues for hosting providers because the renewal process runs in the background and only shows its failure after the certificate has already expired. This guide walks you through every common cause and fix.
Why Does Plesk Let's Encrypt Renewal Fail?
Let's Encrypt certificates are valid for 90 days and Plesk tries to auto-renew them 30 days before expiry. Renewal fails when the ACME challenge — the process Let's Encrypt uses to verify domain ownership — cannot complete. The main causes are:
- DNS pointing to a different server: The domain's DNS records have changed (e.g., after a migration) and no longer point to your Plesk server's IP
- Port 80 blocked: HTTP-01 ACME challenge requires port 80 to be accessible from the internet
- Incorrect TXT record (DNS-01 challenge): When using external DNS, the _acme-challenge TXT record is stale or missing
- ModSecurity blocking the ACME challenge: WAF rules intercept the .well-known/acme-challenge/ request
- Certificate used by Plesk panel itself: Attempting to delete a cert that secures the Plesk UI causes an error
- Rate limiting: Let's Encrypt caps renewals at 5 per domain per week — hitting the limit during testing locks you out temporarily
Step 1: Read the Renewal Error Log
The first thing to do is read the actual error message — Plesk logs all Let's Encrypt activity in detail.
tail -n 200 /var/log/plesk/panel.log | grep -i "letsencrypt\|acme\|certifi"
On Windows Plesk, the log is at %plesk_dir%admin\logs\panel.log.
The Let's Encrypt extension also keeps its own log, which usually has the most specific ACME error:
tail -n 100 /var/log/plesk/letsencrypt.log
Common error messages you'll see:
- "Could not issue a Let's Encrypt SSL/TLS certificate for example.com": domain validation failed
- "Incorrect TXT record found at _acme-challenge.example.com": DNS-01 challenge failure
- "Timeout during connect": port 80 blocked or server unreachable
- "too many certificates already issued": rate limit hit
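The four messages above map directly onto the steps that follow. The script below, an added example that is not code from the original guide, scans the Plesk logs named above and labels each failure line with the root cause and the step to jump to; the log excerpt it writes for a stand-alone run is constructed.

```shell
#!/bin/sh
# Added example, not code from the original guide: scan the Plesk logs named
# above and map each Let's Encrypt error line to the guide's root causes, so
# you know which step to jump to. The sample log lines below are constructed.

# classify_error LINE -> prints the root-cause label for one log line,
# returns 1 (prints nothing) for lines that are not a known renewal failure.
classify_error() {
  case "$1" in
    *"Incorrect TXT record"*)                 echo "dns-01 TXT record stale/missing (Step 5)" ;;
    *"Timeout during connect"*|*"Connection refused"*)
                                              echo "port 80 blocked or server unreachable (Step 3)" ;;
    *"too many certificates already issued"*) echo "rate limit hit (wait, then retry)" ;;
    *"used for securing Plesk"*)              echo "certificate also secures the panel (Step 6)" ;;
    *"domain validation failed"*)             echo "HTTP-01 validation failed: check DNS, port 80, ModSecurity (Steps 2-4)" ;;
    *)                                        return 1 ;;
  esac
}

# triage_log FILE -> prints "cause<TAB>log line" for each classifiable line
triage_log() {
  grep -iE 'letsencrypt|acme|certifi' "$1" | while IFS= read -r line; do
    label=$(classify_error "$line") || continue
    printf '%s\t%s\n' "$label" "$line"
  done
}

# write_sample_log FILE -> constructed panel.log excerpt for a stand-alone run
write_sample_log() {
  cat > "$1" <<'EOF'
[2024-05-01 03:10:01] INFO: Scheduled task started
[2024-05-01 03:10:05] ERR: Could not issue a Let's Encrypt SSL/TLS certificate for example.com - domain validation failed
[2024-05-01 03:10:06] ERR: Incorrect TXT record found at _acme-challenge.example.com
[2024-05-01 03:10:07] ERR: letsencrypt: Timeout during connect (likely firewall problem)
[2024-05-01 03:10:09] INFO: Backup finished
EOF
}

# Real use: triage_log /var/log/plesk/panel.log; triage_log /var/log/plesk/letsencrypt.log
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); write_sample_log "$tmp"; triage_log "$tmp"; rm -f "$tmp"
fi
```

Run it with `--demo` to see the constructed excerpt triaged; in real use point `triage_log` at the two log files from this step.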
Step 2: Verify DNS Points to Your Plesk Server
Compare the IP address the domain resolves to with the server's public IP:
dig +short example.com A
curl -s ifconfig.me
If these differ, the certificate cannot be renewed until DNS is updated. If the domain uses Cloudflare or another proxy, make sure the IP resolves to your origin, not the CDN edge — or switch to DNS-01 challenge validation (see Step 5).
Step 3: Make Sure Port 80 Is Reachable
From a machine outside the server, request the challenge path over plain HTTP:
curl -v http://example.com/.well-known/acme-challenge/test
You should get a 404 (file not found), which is fine: it means port 80 is open and the request reached the web server. A connection refused or timeout means port 80 is blocked.
7. Check iptables directly:
iptables -L INPUT -n | grep "dpt:80"
If there is no ACCEPT rule for port 80, add it or modify your firewall configuration through Plesk.
Step 4: Stop ModSecurity Blocking the ACME Challenge
Exempt the challenge path from the WAF by adding the following to the domain's additional Apache directives, so the rest of the site stays protected:
<Location "/.well-known/acme-challenge/">
SecRuleEngine Off
</Location>
9. Alternatively, temporarily disable ModSecurity for the domain during renewal: Go to Domains > example.com > Apache & nginx Settings and disable WAF, trigger renewal, then re-enable.
Step 5: Fix Incorrect DNS TXT Record (DNS-01 Challenge)
If you're using an external DNS provider (not Plesk's built-in DNS), Plesk cannot automatically manage the _acme-challenge TXT record required for DNS-01 validation.
10. Check the current TXT record at your DNS provider:
dig TXT _acme-challenge.example.com
If the record is absent or has an old value, Let's Encrypt will fail DNS validation.
Step 6: Fix "Certificate Used by Plesk" Error
A specific error occurs when renewing a domain certificate that also secures the Plesk panel or mail server:
"Failed to renew Let's Encrypt certificate: One of the certificates you are going to delete is used for securing Plesk"
12. Issue a separate certificate for the Plesk panel. Go to Tools & Settings > SSL/TLS Certificates. Click the pencil icon next to the certificate used for the Plesk panel and select a different certificate (or issue a new one for the server's hostname only).
13. Then renew the domain certificate normally. Once the panel certificate is separated, the domain's renewal will complete without the conflict.
Step 7: Manually Trigger a Renewal
After addressing the root cause, manually trigger renewal rather than waiting for the next auto-renewal cycle.
14. Via Plesk GUI: Go to Domains > example.com > SSL/TLS Certificates. Click on the Let's Encrypt certificate entry and click Re-issue.
15. Via Plesk CLI:
plesk ext letsencrypt --renew -domain example.com
Watch the output for any error messages. If renewal succeeds, you'll see a confirmation that the certificate has been updated.
Confirm that the certificate actually being served is the new one. The -servername option sends SNI, so on a server hosting several domains you get example.com's certificate rather than the server default:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
The notAfter field should show a date 90 days from today if renewal succeeded.
Preventing Future Renewal Failures
To avoid unexpected certificate expiry:
- Ensure DNS records are stable and point to your Plesk server before provisioning Let's Encrypt
- Keep port 80 open permanently — many admins close it thinking HTTPS is sufficient, but ACME needs it
- Use Plesk's built-in DNS zone when possible, as it manages TXT records automatically
- Set up email alerts in Plesk for certificate expiry under Tools & Settings > Notifications
- Consider a managed service that monitors certificate renewals across all domains automatically
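The expiry alert in the list above and the verification command in Step 7 can be combined into one cron-able check. The script below is an added example (not from the original guide): it fetches the served certificate with SNI and fails while the certificate is still inside Plesk's 30-day renewal window, so a stuck renewal is caught before the certificate expires. It assumes openssl is installed; the domain names are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not part of the original guide: a cron-able check that
# repeats the guide's verification (openssl s_client ... -dates) and warns
# while the certificate is still inside Plesk's 30-day renewal window,
# i.e. before visitors ever see an expired certificate. Assumes openssl.

RENEW_WINDOW_DAYS=30   # Plesk starts auto-renewal 30 days before expiry (see above)

# fetch_cert DOMAIN [PORT] -> prints the served leaf certificate as PEM.
# -servername sends SNI, which matters on a Plesk host serving many vhosts.
fetch_cert() {
  echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
    | openssl x509 -outform PEM
}

# expires_within PEMFILE DAYS -> exit 0 if the certificate expires within DAYS days
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# not_after PEMFILE -> prints the notAfter date, as the guide's -dates check shows it
not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_domain DOMAIN -> 0 when healthy, 1 when renewal is due or the cert is unreadable
check_domain() {
  tmp=$(mktemp) || return 1
  if ! fetch_cert "$1" > "$tmp" 2>/dev/null; then
    echo "$1: could not fetch certificate" >&2; rm -f "$tmp"; return 1
  fi
  if expires_within "$tmp" "$RENEW_WINDOW_DAYS"; then
    echo "$1: RENEWAL DUE, expires $(not_after "$tmp")" >&2; rc=1
  else
    echo "$1: ok, expires $(not_after "$tmp")"; rc=0
  fi
  rm -f "$tmp"; return $rc
}

# Usage: ./cert-check.sh example.com www.example.com   (exit 1 if any domain is due)
if [ $# -gt 0 ]; then
  rc=0; for d in "$@"; do check_domain "$d" || rc=1; done; exit $rc
fi
```

Schedule it from cron a few days after Plesk's own renewal attempt is expected; a non-zero exit means the renewal did not happen and you should go back to Step 1.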
Conclusion
Plesk Let's Encrypt renewal failures almost always trace back to one of six root causes: DNS mismatch, port 80 blocked, ModSecurity interference, external DNS TXT record issues, certificate conflicts with the Plesk panel, or rate limiting. By reading the panel log first and working through each cause systematically, you can restore HTTPS within minutes and configure the server to prevent the same failure from recurring.
